Aug 182012
 

I’ve been doing the IT thing for a bit now.  In recent years, I’ve found more job satisfaction in finding solutions for complex problems (usually with budget constraints), workflow optimization, and consulting work.  Inevitably, I wind up doing the occasional repair or virus/malware removal job.  Malware removal is probably the type of work I like the least.  Malware removal on older machines (say 4+ years) is especially tedious, given the number of reboots typically required.  While awaiting system reboot, there is plenty of time to contemplate the source of the malware “infection.”

I would say that in the small business world, where company e-mail addresses are used for personal and business purposes, the bulk of malware code introduced to PCs comes from unsolicited e-mail.  It’s amazing how easy it is to trick an unsuspecting user into clicking on a link.  People are so rushed in their work that they miss obvious characteristics of spam e-mail that should be dead giveaways: Spelling and grammatical errors; attachments in .zip format; missing content such as letterhead/company logos, etc.

Since I’ve finally got spamassassin working on the new e-mail server, I’m seeing that our heavy users receive an average of 6 – 8 spam messages an hour during the day.  That explains some malware I’ve had to clean up in the last 18 months.  I guess it’s all the more reason to bring our e-mail in-house.

In conclusion, I would recommend that every small business adopt the following guidelines for use of company e-mail:

  1. Request that users only utilize their company e-mail addresses for company business.  Keep the jokes and topless beach photos to your personal e-mail accounts.
  2. Implement some sort of server-side spam filtering technology.  While client-side filtering allows users to more easily find messages they are looking for, downloading the spam to the e-mail client still leaves the end user vulnerable to malware.

I suppose you could get a little bit more draconian about it and remind users that everything the send/receive via e-mail is the company’s intellectual property…